meny

Fines and warnings

What fines can be imposed for contravening the General Data Protection Regulation?

The Swedish Data Protection Authority can decide that a company that contravenes the General Data Protection Regulation must pay an administrative fine. The fine can at most amount to 20 million EUR or four per cent of the company's global annual turnover depending on which amount is the higher. In the case of somewhat lesser infringements the maximum fine is 10 million EUR or 2 per cent of the company's global annual turnover. It will probably not be common for the Swedish Data Protection Authority to impose maximum fines.

How high the fine is depends both on which provision the infringement concerns and on the circumstances in the individual case. The Swedish Data Protection Authority will among other things look at how serious the infringement is, how much harm has been caused, if sensitive personal data is involved, and if the infringement is intentional. The Swedish Data Protection Authority must ensure that any fine is effective, proportional and deterrent. For this reason, the company's size, for example, can also be of importance.

In Sweden, authorities must also be able to be fined. For less serious infringements the fine is to amount to a maximum of 5 million SEK and for serious infringements a maximum of 10 million SEK.

The Swedish Data Protection Authority can also issue warnings if a planned instance of personal data processing will likely contravene the Regulation's provisions. The authority can issue reprimands if an ongoing instance of personal data processing contravenes the provisions and can also order a company or other organisation to for example cease a certain instance of processing.

The Swedish Data Protection Authority's decision can be appealed.

Swedish version
If the information in other languages are different from the Swedish version, it is the Swedish version that applies.